VM

Expand all | Collapse all

Can VM:Secure audit DIAG84 calls?

  • 1.  Can VM:Secure audit DIAG84 calls?

    Posted 09-29-2016 05:58 PM

    We're implementing password encryption and the Rules doc includes:  "Pay particular attention to any software that requires a link to the CP object directory or access to the source directory and any program using DIAGNOSE X’84’."  And it would be nice to know who/what is using it so we could look and see how they're using it and if it's impacted.

     

    Any thoughts other than put it in and see what fails?

    Lee



  • 2.  Re: Can VM:Secure audit DIAG84 calls?

    Posted 09-30-2016 10:16 AM

    VM:Secure doesn't interact with diagnose X'84' calls in any way.  So there isn't any way to tell if this is in use other than watching for a failure.

     

    However, you may want to cause this failure before encryption to find areas to check before hand. Another way to cause a failure before you encrypt the passwords  is to change the privilege class for the diagnose so it is assigned a class alone, at least temporarily. It will fail due to not having the correct privilege class which could be easily fixed (add the class to the directory entry) but this allows you to trap the use so you can check what is using the diagnose it to see if password will be an issue.

     

    Either way, it will be a failure that tells you something doesn't work. It may give you some advantage to find these issues before you encrypt the passwords, it may not.



  • 3.  Re: Can VM:Secure audit DIAG84 calls?

    Posted 09-30-2016 10:26 AM

    To echo what Yvonne said, Diag 84 should never be used in a VM:Secure environment. It was intended to be used only by Dirmaint and that product is mutually exclusive with VM:Secure.



  • 4.  Re: Can VM:Secure audit DIAG84 calls?

    Posted 09-30-2016 05:15 PM

    Thanks...  Good idea on the privclass change..   What I don't want is to have to take a prime time outage to remove pw encryption...

     

    I am curious though...  Aside from DIRMAINT, the ids that have OPTION D84NOPASS are VMSECURE and the VMX$0001/2  ids...    So it looks like he uses it...



  • 5.  Re: Can VM:Secure audit DIAG84 calls?

    Posted 09-30-2016 06:04 PM

    Yes, there are some uses of DIAGNOSE X'84' in the product. It is used when you use the MAINT command to make an account number change with the TEMP option.  It is also is used for certain circumstances in the CHGVOLNM logic.  The use is very limited and for things that we want to put in the object but not necessarily to the source directory such as the temporary update for the account number.



  • 6.  Re: Can VM:Secure audit DIAG84 calls?

    Posted 09-30-2016 06:13 PM

    Thanks...   Those aren't things we normally  use, so we shouldn't break VMSECURE if we change the Diag84 class for a while...   Thanks again...



  • 7.  Re: Can VM:Secure audit DIAG84 calls?

    Posted 09-30-2016 06:21 PM

    The only other product I can think of that has a special use for Diagnose X'84' is VM:Batch. If you use VM:Batch you will need to give it the class in order for it to get access to the disks of the users that submit VM:Batch jobs.



  • 8.  Re: Can VM:Secure audit DIAG84 calls?

    Posted 10-06-2016 06:24 PM

    Thanks for those hints...   We'll try to break things before we encrypt..

     

    One more question....   Is there any way for the PASSWORD exit to know if it's dealing with the PEF format call or not?  It looks like I have to have 2 different execs and swap them when I turn PEF on or off...   Did I miss something?

    Thanks,   Lee



  • 9.  Re: Can VM:Secure audit DIAG84 calls?

    Posted 10-10-2016 12:28 PM

    Hi Lee,

    Sorry for the delayed reply to this Lee, I was out of office last week.

     

    You are correct. There isn't any way to know in the exit if you are running with password encryption so you have to have a version that gets the new password from the right place once you have encrypted your passwords.

    Best Regards,

       Yvonne